Enable x-pack without ssl on kibana and elasticsearch using helm chart

Hello,

I have installed Kibana and Elasticsearch into K8s using a Helm chart.
I want to enable X-Pack to get user management and roles in the Kibana dashboard, but without using the SSL and certificate configuration.

Could anyone provide me with the solution, please?

Thank you in advance.

You cannot use authentication and role-based access controls in Elasticsearch without configuring SSL/TLS, as this would lead to credentials being sent across the network to and between nodes in clear text.

See this thread for a similar discussion.

OK, then could you please tell me how to create an Elasticsearch certificate using Kubernetes? I don't know how to access bin/elasticsearch. I have checked this: https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html#node-certificates

But then I can't use these commands on Kubernetes. I am new to all this; maybe my questions seem stupid, but I really don't know how to even get a path. Could you please help me?

As far as I know, you typically create certificates externally and then pass them into the containers as described in the Docker image documentation. There may be other ways to do it, but I will have to leave that to others, as I am not familiar with the Helm charts.

For that, can I generate a certificate using openssl on Kubernetes and use it for Elasticsearch?

I already created one and I would like to test it, but can you please tell me where I can find this path /usr/share/elasticsearch/config, because I couldn't access it through the shell.

Follow this tutorial to enable user auth without configuring TLS/SSL. By setting discovery.type: single-node in Elasticsearch, you are bypassing the TLS/SSL requirements.

However, I strongly recommend against doing so because user credentials are sent over HTTP in plaintext.

I found out how to add the certificate and I did it. Now I am getting this error:
"Caused by: java.lang.reflect.InvocationTargetException",

Please supply the whole stack trace from the log. We cannot guess the problem from what you have provided.

2019-06-25T10:20:56.882057213Z "Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory",
2019-06-25T10:20:56.882063036Z "at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61) ~[?:?]",
2019-06-25T10:20:56.882068596Z "at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:382) ~[?:?]",
2019-06-25T10:20:56.882074256Z "at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]",
2019-06-25T10:20:56.882079897Z "at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$2(SSLService.java:426) ~[?:?]",
2019-06-25T10:20:56.882085280Z "at java.util.HashMap.forEach(HashMap.java:1333) ~[?:?]",
2019-06-25T10:20:56.882120138Z "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:423) ~[?:?]",
2019-06-25T10:20:56.882136977Z "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:119) ~[?:?]",
2019-06-25T10:20:56.882143717Z "at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:144) ~[?:?]",
2019-06-25T10:20:56.882149641Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]",
2019-06-25T10:20:56.882155163Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]",
2019-06-25T10:20:56.882168785Z "at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]",
2019-06-25T10:20:56.882175111Z "at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]",
2019-06-25T10:20:56.882181018Z "at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]",
2019-06-25T10:20:56.882228253Z "at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882234700Z "at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882240443Z "at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882246040Z "at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882251927Z "at org.elasticsearch.node.Node.<init>(Node.java:308) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882257697Z "at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882263355Z "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882271710Z "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882318705Z "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) ~[elasticsearch-7.1.1.jar:7.1.1]",
2019-06-25T10:20:56.882344091Z "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.1.1.jar:7.1.1]",

This is my entire log

This is my configuration:

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12

I used kubectl exec -it elasticsearch-master-0 -- /bin/bash to enter the container and generate the certificate in the exact path /usr/share/elasticsearch/certs.

There is definitely information missing from that log file. The exception printed there is always caused by another error.

This is almost certainly incorrect. You should never be using a CA cert+key for a keystore or truststore.

I just did what they did in the security configuration

I can't see anywhere in that repository where it tells you to use a CA for this. Can you point me to where you copied this from?

This is the security example configuration that they give.

And your example is not the same.

The helm charts repo uses elastic-certificates.p12 and you are using ca.p12.
I don't know what's in your ca.p12 file, but given the name, I'm guessing that it holds your CA certificate & key, in which case that is the wrong thing to do.

I'll repeat what I said earlier:

The error you are running into has more details than you've provided us. I don't know why your log seems to be cut off at the point it is, but I really need to see the rest of the error message in order to be able to understand what's causing your problem.

We can solve this, but only if you provide us with the information that we need. Almost all of your replies have been 1 sentence answers, and it's just not enough information for us to help you out. If you want to work this issue out, then you need to do the work so that we can understand the details of what's going on.
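Added example, not part of the original thread and not code from the Elastic Helm charts: the replies above say that certificates are created outside the containers and that a keystore should hold a node certificate rather than the CA certificate and key. The script below builds both kinds of PKCS#12 file with openssl and reports which kind a given file is; the subject names, the password and the file layout are constructed for the demonstration.

```sh
#!/bin/sh
# Constructed demo: throwaway CA + node certificate, then a check of which
# certificate a PKCS#12 file carries as its identity (the entry with the key).
set -eu
PW=pass:constructed-demo   # demo-only password, not from the thread

make_certs() {   # $1 = empty working directory
  d=$1
  cat > "$d/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_node]
basicConstraints = CA:FALSE
subjectAltName = DNS:elasticsearch-master
EOF
  # CA key pair: used only for signing, never mounted into a pod.
  openssl req -x509 -config "$d/ssl.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -subj "/CN=constructed-demo-ca" -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Node key pair and CSR, signed by the CA as a leaf certificate.
  openssl req -new -config "$d/ssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=elasticsearch-master" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
  openssl x509 -req -in "$d/node.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/ssl.cnf" -extensions v3_node -days 30 \
    -out "$d/node.crt" 2>/dev/null
  # Node keystore: node key + node cert, plus the CA cert for trust.
  openssl pkcs12 -export -inkey "$d/node.key" -in "$d/node.crt" \
    -certfile "$d/ca.crt" -passout "$PW" -out "$d/elastic-certificates.p12"
  # The layout the replies warn about: CA cert and CA key as a keystore.
  openssl pkcs12 -export -inkey "$d/ca.key" -in "$d/ca.crt" \
    -passout "$PW" -out "$d/ca.p12"
}

p12_identity_kind() {   # $1 = .p12 file; prints "ca" or "leaf"
  text=$(openssl pkcs12 -in "$1" -passin "$PW" -nokeys -clcerts 2>/dev/null |
         openssl x509 -noout -text)
  case $text in *CA:TRUE*) echo ca ;; *) echo leaf ;; esac
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_certs "$work"
for f in elastic-certificates.p12 ca.p12; do
  echo "$f: $(p12_identity_kind "$work/$f")"
done
```

To check an existing file, set PW to that file's password and call p12_identity_kind on it; a result of ca means the keystore's own entry is the signing CA's certificate and key.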

Sorry for the delay sir.

I understand what you said and I changed the files. Now I am using the correct file, but I still have an error:

So I used the Helm chart to install Elasticsearch

and then I created 2 files, security.yml and Chart.yaml, in which I put the configuration provided:

https://github.com/elastic/helm-charts/blob/master/elasticsearch/Chart.yaml
https://github.com/elastic/helm-charts/blob/master/elasticsearch/examples/security/security.yml

and then I executed the command:
helm upgrade --wait --timeout=600 --install --values security.yml elasticsearch ./

but I am getting this error:

Release "elasticsearch" has been upgraded.
Error: no objects visited
